Out of all industries, the ones that deal with the most detailed and rich personal data suffer the most from data breaches. Healthcare and financial sector are incredibly vulnerable to data breaches and bear the heaviest burden of identifying and containing the data breach.
The average cost of a data breach in the healthcare sector is $380 per stolen record. An average number of individual records affected by a data breach amounts to over 24,000. Healthcare data is unique because it cannot be altered. Records of chronic diseases and prescriptions, blood type, retinal scans, DNA and other extremely private and uniquely identifying aspects of individual’s life contain the data that are not just financially valuable, but also can cause significant damage to personal integrity. Moreover, health records are a type of data that every person in the world entrusts to one or another medical institution. Privacy-conscious people may avoid storing their personal information on social media or entrusting it to web-based service providers. But medical records are the data every person submits to their health service provider, willingly or unwillingly, starting from childhood when a legal guardian makes decisions. Medical data create the most complete and intimate portrait the data subject, and this determines the core value of medical records. Stolen medical data are often sold on the dark web, used for blackmail, leveraged by insurance companies, or misused for fraudulent billing.
There are multiple ways to conduct a cyber attack on a healthcare provider and access personal medical records: including getting access to an employee email through phishing or gaining physical access to an unprotected employee device. In other cases, human error or database misconfiguration accidentally expose the medical data to public access. For the service providers, protecting the operational network and encrypting medical data of their users is a key cybersecurity challenge.
Database misconfiguration due to technical error risks exposing patient data to public access online. If the data are kept in unencrypted storage, they can easily be copied and distributed outside the organisation. Medical service providers that take encryption and network security seriously use a virtual private network to configure their data storage and contain user databases within a private digital space.
VPNpro offers a comparative overview of VPN providers that can be used to secure medical databases and protect them from data breaches. Using VPN for all internal communications and data transfers – not just data storage – is a prerequisite for reliable system security.
In 2018, Singapore was hit by a major data breach that affected a quarter of all medical records in the country. The state healthcare network SingHealth was breached by a carefully planned attack, the main target of which was allegedly the country’s Prime Minister. A vast amount of personal data, including names, addresses, ID and health records were obtained by hackers, who only had to gain access to one medical station to be able to infect the entire SingHealth system with malware.
Ransomware remains one of the most common cyber attacks in the digital world. When ransomware infects the network of a healthcare service provider, encrypts the data and requires a ransom payment to release the records, there is very little a company can do to retrieve the data without paying the requested ransom. In Europe, WannaCry ransomware attack on the British NHS was perhaps the most well-known cyber attack of recent years, although the damage it caused was rather limited – to the extent we are currently aware of. Unlike the cyber attack on SingHealth, the NHS incident was not a targeted attempt to obtain medical records of a particular individual. WannaCry ransomware originated outside the UK but spread from ‘patient zero’ to the entire network through a shared vulnerability. The attack could have been easily prevented if the NHS had kept its software updated and firewall installed. Although the attack did not affect any individual records or cause significant damage, it did disrupt the NHS services for some time. More importantly, it made the cybersecurity professionals aware of the risks such attack could pose to medical infrastructure and personal medical records.
The EU General Data Protection Regulation is at the moment the leading global legislation that obliges operators in the private and public sector to report breaches and ensure data security in a timely manner. The escalating digitalisation in the medical record-keeping will put more pressure on healthcare providers to keep their cybersecurity practices up-to-date and ready. Medical data breaches, for services providers, result not just in the legal and technical costs of dealing with the breach, but in the loss of customer trust and reputation damage. The cost of identifying, containing, investigating and managing the data breach incident in the medical industry are substantially higher than those in the government sector, financial services, or retail.